NYDFS penalizes Carnival $5M for cybersecurity failures


The New York State Department of Financial Services announced a $5 million penalty against Carnival Corp. for “significant” cybersecurity failures, including not implementing basic protocols to prevent four separate data breaches from 2019-21.


Carnival reaches $1.25M settlement over 2019 data breach


Carnival Cruise Line reached a $1.25 million settlement with 46 attorneys general stemming from its 2019 data breach that involved the personal information of 180,000 Carnival employees and customers nationwide.

Five prevailing themes from TPRM Summit


Editor In Chief Kyle Brasseur recaps popular points of discussion across Compliance Week’s two-day Third-Party Risk Management Summit held in Chicago.

Webcast: Importance of adopting a cybersecurity risk management framework

2022-06-16T14:00:00+01:00 Provided by

More and more commercial organizations are voluntarily adopting cybersecurity risk management frameworks like NIST CSF, COBIT, ISO, and others considering recent legislation, executive orders, and reporting requirements.

Survey: Cyber threats, remote work, financial pressures key ABC concerns for 2022

2022-06-15T19:06:00+01:00 By Adrianne Appel

Compliance programs globally expect to shoulder more responsibilities in 2022, according to Kroll’s latest Anti-Bribery and Corruption Benchmarking Report.

SEC commissioners address CCO liability, crypto regulation, more at CW2022


Two SEC commissioners from opposite sides of the political aisle took slightly different positions on how to assess the liability of poor-performing chief compliance officers as part of the Day 2 opening keynote at Compliance Week’s National Conference.


SEC to increase staffing around crypto asset-related investigations


The Securities and Exchange Commission announced plans to nearly double the number of employees assigned to its Cyber Unit, which has had its name changed to emphasize the agency’s pursuit of crypto asset-related investigations.


CPE Webcast: Cybersecurity and third-party risk: Third-party threat hunting

2022-05-03T14:00:00+01:00 Provided by

Learn how to build a third-party risk management program with cybersecurity risk at the forefront.


CPE Webcast: The dangers of hidden email data

2022-04-25T14:00:00+01:00 Provided by

Where is your unstructured data lurking? With a record number of cyberattacks and the introduction of robust privacy laws like the GDPR and CPRA, it’s time to discover your data.


CPE Webcast: Data security 101 for compliance teams

2022-04-21T14:09:00+01:00 Provided by

Compliance departments must be up to speed with emerging cybersecurity threats. This includes understanding the new technologies, processes, and procedures their organization will need to employ to ensure they don’t run afoul of the modern data privacy environment.

AA study: Cybersecurity breach disclosures surge in 2021


The number of cybersecurity breaches disclosed by public companies in 2021 increased 44 percent while reports of ransomware attacks also surged, according to the latest Audit Analytics study.

Cash App breached by former employee; 8.2M affected


Approximately 8.2 million U.S. customers of Cash App Investing have been notified of a data breach carried out by a former employee of the mobile payment service provider.


Q1 roundup: SEC tackles climate disclosures, businesses navigate Russia restrictions, more


Regulation and guidance from U.S. agencies and the White House, plus compliance challenges stemming from a two-year global pandemic and Russia’s ongoing invasion of Ukraine, made the first quarter of 2022 a novel risk environment for regulated businesses.

Closing the data risk gap: How technology enables data protection


Legal and compliance teams ranked data privacy and cybersecurity threats the No. 1 biggest risk entering 2022. Further survey results reveal roadblocks to organizations’ proactive compliance.


Ukrainian telecom victim of ‘powerful’ cyberattack


Ukrainian telecommunications company Ukrtelecom is in the process of restoring its services after a “powerful” cyberattack wreaked havoc on its operations.


Five insights gleaned from PCAOB audit committee chair report


The Public Company Accounting Oversight Board published its annual report highlighting feedback received from its discussions with audit committee chairs at U.S. public companies during the previous year.

How EU regulators are warning of Russian data protection threats


Regulators in Norway, Germany, Lithuania, Estonia, Denmark, and Sweden address how companies can prepare for increased data protection and cybersecurity risks in the wake of Russia’s invasion of Ukraine.

Former CafePress owner to pay $500K in FTC settlement over data breach


Residual Pumpkin Entity, the former owner of CafePress, must pay $500,000 in redress under a proposed settlement with the Federal Trade Commission addressing allegations CafePress failed to secure personal data and covered up a data breach.

Meta fined $18.6M under GDPR for 2018 data breaches


The Irish Data Protection Commission fined Meta’s Irish subsidiary 17 million euros (U.S. $18.6 million) for a series of personal data breaches that took place nearly four years ago.


SEC proposes companies report cybersecurity incidents within four days


Public companies would have to report material cybersecurity incidents no later than four business days after they occur if a rule proposed by the Securities and Exchange Commission takes effect.

Top 10 reasons to attend Compliance Week 2022


A keynote with two SEC commissioners; interactive sessions on global sanctions, ESG, and ethical leadership; and a new conference location and format highlight Dave Lefort’s list of reasons to be excited for CW’s first in-person event in nearly three years.

Steps for preparing for potential Russian cyberthreats


As the West seeks to isolate Russia, the country might retaliate with state-sponsored cyberattacks. Although Russia is suspected to have launched such attacks before, the scale and scope could be much bigger this time, experts warn.

Colonial Pipeline names first chief information security officer


More than nine months after being targeted by a ransomware attack, Colonial Pipeline has named Adam Tice as its first chief information security officer.


Audit committees rolling with punches of evolving role


Two prominent audit committee chairs speak to the results of a Deloitte Center for Board Effectiveness and Center for Audit Quality report on audit committee practices and the major issues audit committees face today.


DOJ names head of crypto enforcement team


The Department of Justice named veteran prosecutor Eun Young Choi to serve as the first director of its newly created National Cryptocurrency Enforcement Team.


Third-party cybersecurity monitoring: Tips for keeping vendors honest


A continuous monitoring cybersecurity strategy for third-party risks goes a long way toward proactively identifying external vulnerabilities. At CW’s virtual Cyber Risk & Data Privacy Summit, a panel of experts shared leading practices.

Why high-growth companies should prioritize data privacy


A group of experts at CW’s virtual Cyber Risk & Data Privacy Summit explained how complying with data privacy regulations from Day 1 can provide high-growth companies with certain competitive advantages.


Best practices to achieve a continuous assurance cybersecurity model


A panel of cybersecurity experts shared tips for achieving continuous assurance and getting necessary buy-in at CW’s virtual Cyber Risk & Data Privacy Summit.

Company cybersecurity certifications: Business case and where to start


Rachael Pashkevich Koontz, senior corporate counsel of cybersecurity compliance at T-Mobile, shared her opinions on cybersecurity certifications and determining the right fit for certain organizations at CW’s virtual Cyber Risk & Data Privacy Summit.

DOJ arrests in Bitfinex case highlight inner workings of crypto laundering scheme


The Department of Justice arrested two individuals over an alleged conspiracy to launder approximately $4.5 billion worth of cryptocurrency stolen in the 2016 hack of digital asset trading platform Bitfinex.


How Accor manages global data privacy compliance


Marie-Christine Vittet, vice president of compliance at hospitality chain Accor, shares with Compliance Week the company’s journey toward a global data privacy compliance program.


Cosmote, parent company OTE fined $10.6M under GDPR


The Hellenic Data Protection Authority fined mobile phone operator Cosmote and its parent company OTE a total of €9.25 million (U.S. $10.6 million) for a data breach caused by a September 2020 cyberattack and for illegally processing customer data.

Epilogue: What happened to Betsy?


The “patient zero” of fictional private utility company Vulnerable Electric’s ransomware crisis learns her fate.

Chapter 4: Recovery and lessons learned post-ransomware attack


Whether fictional private utility company Vulnerable Electric pays the ransom or not in the aftermath of its cyber incident, the two pathways quickly splinter off in different directions with varied endings, each with important lessons to be learned.

Ransomware case study glossary


The field of cybersecurity features a growing list of terminology to describe the many forms, channels, and motivations behind cyberattacks and hacking culture. Learn further definitions for some key terms featured throughout the ransomware case study.

Chapter 3: Ransomware eradication prompts tough choice: To pay or not to pay?


No matter what, the deck is stacked against fictional private utility company Vulnerable Electric as it weighs whether to pay the $5 million ransom demanded by a cybercriminal who breached its systems. Which path do you take?

Chapter 2, Part 2: Ransomware damage control and when to alert stakeholders


Systems at fictional private utility company Vulnerable Electric remain impacted in the aftermath of a ransomware attack, but the chief executive decides it’s time to be forthright with employees and customers.

Chapter 2, Part 1: Containment key to ransomware defense


With Day 2 of fictional private utility company Vulnerable Electric’s ransomware crisis comes the need to grasp the extent of its situation. The cyber incident response team’s synchronized efforts are pivotal as time is of the essence.

Chapter 1, Part 2: All hands on deck in C-suite ransomware response


Following the events that triggered a double extortion ransomware attack, the CEO of fictional private utility company Vulnerable Electric mobilizes her cyber incident response team to begin assessing the path forward to dealing with the cybercriminal(s).

Chapter 1, Part 1: Betsy’s human error triggers ransomware crisis


When one of fictional private utility company Vulnerable Electric’s most dedicated employees falls victim to a social engineering hack, her actions in the immediate aftermath are crucial to what will soon become a crisis for the C-suite.

CW case study offers 360-degree view of ransomware attack


Learn through the eyes of the C-suite at Vulnerable Electric, a fictional private utility company impacted by a significant ransomware attack, as part of Compliance Week’s third case study.

Biden plan to expand cybersecurity collaboration with water sector


The Biden administration announced an action plan to collaborate with owners and operators in the water sector to deploy technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings.


Gensler says SEC to consider new rules for cybersecurity, data privacy disclosures


The Securities and Exchange Commission is kicking the tires on new cybersecurity and data privacy disclosure requirements for investment companies, investment advisers, broker-dealers, and public companies, according to agency Chair Gary Gensler.


NAVEX: Top 10 risk and compliance trends for 2022


Diversity, equity, and inclusion; prioritizing ESG; business continuity; and more highlight the latest edition of NAVEX’s annual list of risk and compliance trends worth monitoring.


Report: GDPR fines surpass $1B in 2021; breach notifications also rise


Nearly €1.1 billion (U.S. $1.2 billion) worth of fines have been issued against organizations in the past year for violations of the General Data Protection Regulation, according to the latest annual report by law firm DLA Piper.


Accellion to pay $8.1M in proposed data breach settlement


The Accellion data breach that last year affected a variety of private- and public-sector organizations and compromised the personal data of millions of individuals could be resolved in an $8.1 million class-action settlement.

Morgan Stanley agrees to $60M settlement over compromised personal data


Morgan Stanley has agreed to establish a $60 million fund to settle a class-action lawsuit filed by nearly a dozen customers regarding personal data that was compromised when the bank decommissioned two wealth management centers.


DiMauro: Seven compliance areas to watch in 2022


If 2021 was about transition under the Biden administration, 2022 is looking as if it will be a year of action. CW Director of Compliance Programs & Training Julie DiMauro shares her list of key areas she expects to receive enhanced scrutiny in the year ahead.


Desjardins reaches $155M proposed settlement in data breach class action


Desjardins Group has reached a proposed C$201 million (U.S. $155 million) settlement agreement in a class-action lawsuit following a long-running data breach that ultimately compromised the personal information of nearly 10 million individuals in Canada and abroad.


Cybersecurity trends continue in 2021 audit committee transparency report


The most dramatic increase in audit committee disclosures in proxy statements for the second consecutive year was in responsibility for cybersecurity risk oversight, according to the latest report from the Center for Audit Quality and Audit Analytics.